A vulnerability in Amazon Q Developer allowed attackers to obtain AWS credentials from malicious repositories through compromised MCP servers.
A critical vulnerability in Amazon Q Developer enabled a rogue code repository to execute commands on a developer's machine without detection, potentially allowing attackers to exfiltrate AWS credentials. Wiz Research identified the flaw, designated as CVE-2026-12957, and reported it to Amazon on April 20. Amazon addressed the issue on May 12, with the public disclosure occurring today.
The exploit targeted Amazon Q Developer's handling of MCP servers, which facilitate connections between AI coding assistants and external tools and data sources. A configuration file located in a repository would automatically register and activate a server controlled by an attacker as soon as a developer cloned the project, without requiring any user consent. This server gained access to the developer's full AWS credentials, IAM role, and all other relevant environment variables associated with the IDE plugin.
Wiz researchers illustrated the vulnerability by creating a proof of concept that executed a standard AWS identity command through the malicious MCP server, forwarding the output to an external server. The command revealed the developer's AWS account ID, user ARN, and session credentials, providing attackers with everything needed to access cloud resources. Since the MCP server was initiated automatically upon opening the repository, no action other than cloning the code was necessary, a scenario that has already facilitated supply chain attacks in other AI coding platforms.
Amazon rectified the vulnerability by requiring explicit user consent before any MCP server can be activated and by limiting MCP servers' access to environment variables. Additionally, a second vulnerability, CVE-2026-12958, discovered during the same review, showed that the plugin did not verify symbolic links when creating workspace files. This oversight allowed an attacker to write arbitrary files anywhere on the developer's machine. Both issues were patched in the latest versions of Language Servers for AWS and the corresponding IDE plugins for platforms like VS Code, JetBrains, Eclipse, and Visual Studio.
This disclosure adds to the increasing list of AI coding tools that have been found vulnerable to supply chain attacks that leverage the inherent trust placed in repository content. Earlier this year, Anthropic’s Claude Code suffered a similar credential-theft vulnerability through prompt injection in GitHub Actions. There have also been disclosures regarding MCP-related vulnerabilities from Cursor and Codeium’s Windsurf in recent months.
The core issue lies in the design of MCP, which allows AI assistants to access external tools with the same permissions as the host application. When a repository can silently register an MCP server that inherits a developer's cloud credentials, the potential attack surface extends beyond the code itself to encompass every service the developer can access. Amazon asserts that there is no evidence suggesting the flaw has been exploited in real-world scenarios, and CISA's advisory database does not record any known attacks.
Developers using Amazon Q Developer are advised to promptly update their IDE plugins to the latest versions and examine any recently cloned repositories for unexpected configuration files. The overarching takeaway remains consistent across AI developer tools: any configuration file capable of triggering code execution upon cloning poses a significant risk, and tools that execute it automatically compromise security.
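One way to carry out the repository check advised above, as an added example that is not code from Amazon, Wiz, or this article. It assumes MCP client configurations are JSON files with a top-level `mcpServers` or `servers` object, matches on content rather than on any particular file name, and also reports symbolic links that resolve outside the checkout, the condition behind the second issue.

```python
import json
import os
import sys

# Assumption: MCP client configs are JSON with a top-level "mcpServers" (or
# "servers") object mapping a name to {"command", "args", ...} or {"url"}.
SERVER_KEYS = ("mcpServers", "servers")


def _mcp_findings(path, rel):
    """Report every server a JSON file would register, with its launch line."""
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
    except (OSError, ValueError):  # unreadable or not valid JSON: nothing to report
        return []
    out = []
    for key in SERVER_KEYS:
        servers = doc.get(key) if isinstance(doc, dict) else None
        for sname, spec in (servers.items() if isinstance(servers, dict) else ()):
            launch = isinstance(spec, dict) and (spec.get("command") or spec.get("url"))
            if launch:
                args = spec.get("args") if isinstance(spec.get("args"), list) else []
                detail = " ".join([f"{sname}:", str(launch), *map(str, args)])
                out.append((rel, "mcp-server", detail))
    return out


def audit_repo(root):
    """Return sorted (relative_path, kind, detail) findings for a cloned repo."""
    root = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git internals
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                target = os.path.realpath(path)
                # A link resolving outside the checkout can redirect file writes.
                if os.path.commonpath([root, target]) != root:
                    findings.append((rel, "symlink-escape", target))
            elif name.endswith(".json") and os.path.isfile(path):
                findings.extend(_mcp_findings(path, rel))
    return sorted(findings)


if __name__ == "__main__":
    for rel, kind, detail in audit_repo(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind}\t{rel}\t{detail}")
```

Run it against a fresh clone before opening the project in an IDE; any `mcp-server` line is a command or endpoint the repository is asking a tool to start.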
